Wednesday, 24 June 2020

Using .NET Standard CSOM and MSAL.NET for App-Only auth in SharePoint Online

So after long last, the .NET Standard version of SharePoint Online CSOM was released yesterday! The official announcement can be found here: https://developer.microsoft.com/en-us/microsoft-365/blogs/net-standard-version-of-sharepoint-online-csom-apis/

One of the key differences compared to the .NET Framework CSOM was that the authentication is completely independent of CSOM library now. Previously, there were native classes like SharePointOnlineCredentials which were used for auth, but they have been removed now.

Since .NET Standard CSOM now uses OAuth for authentication, it's up to the developer to get an access token and pass it along with the call to SharePoint Online. The CSOM library does not care how the access token was fetched. 

So in this post, let's have a look at getting an Application authentication (aka App-Only) access token using MSAL.NET and use it with the new .NET Standard CSOM to get data from SharePoint Online.

When making app-only calls to SharePoint Online, we can either use an Azure AD app registration (with the Client Certificate) or we can use SharePoint App-Only authentication created via the AppRegNew.aspx and AppInv.aspx pages. (There are other workarounds available but that would be out of scope for this post) I go into more details about this in my previous post: Working with Application Permissions (App-Only Auth) in SharePoint Online and the Microsoft Graph

The recommended approach is to go with an Azure AD App Registration and the Client Certificate approach so that is what we will be using. To do that, first we will need to create an App Registration in the Azure AD portal and configure it with the Certificate, SPO API permissions etc. Here is a detailed walk-through on this in the Microsoft docs: https://docs.microsoft.com/en-us/sharepoint/dev/solution-guidance/security-apponly-azuread 

Let's have a look at a few important bits of my Azure AD app registration:

The certificate:


The consented SharePoint permissions:



Once the Azure AD App Registration is configured correctly, we can start looking at the code. 

We will be using a .NET Core 3.1 Console app project for this along with the following nuget packages:



And finally, here is the code which uses MSAL.NET to get the access token and attaches it to the .NET Standard CSOM requests going to SharePoint:

using Microsoft.Identity.Client;
using Microsoft.SharePoint.Client;
using System;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;
namespace CSOM.NET.Standard.Test
{
class Program
{
static async Task Main(string[] args)
{
string siteUrl = "https://tenant.sharepoint.com/sites/MyAwesomeSite";
string clientId = "<client-id-of-aad-app-registration>"; //e.g. 01e54f9a-81bc-4dee-b15d-e661ae13f382
string certThumprint = "<your-cert-thumbprint>"; // e.g. CE20E000D53A4C968ED8BA3EFC92C40A2692AE98
//For SharePoint app only auth, the scope will be the SharePoint tenant name followed by /.default
var scopes = new string[] { "https://tenant.sharepoint.com/.default" };
//Tenant id can be the tenant domain or it can also be the GUID found in Azure AD properties.
string tenantId = "tenant.onmicrosoft.com";
var accessToken = await GetApplicationAuthenticatedClient(clientId, certThumprint, scopes, tenantId);
var clientContext = GetClientContextWithAccessToken(siteUrl, accessToken);
Web web = clientContext.Web;
clientContext.Load(web);
clientContext.ExecuteQuery();
Console.WriteLine(web.Title);
}
internal static async Task<string> GetApplicationAuthenticatedClient(string clientId, string certThumprint, string[] scopes, string tenantId)
{
X509Certificate2 certificate = GetAppOnlyCertificate(certThumprint);
IConfidentialClientApplication clientApp = ConfidentialClientApplicationBuilder
.Create(clientId)
.WithCertificate(certificate)
.WithTenantId(tenantId)
.Build();
AuthenticationResult authResult = await clientApp.AcquireTokenForClient(scopes).ExecuteAsync();
string accessToken = authResult.AccessToken;
return accessToken;
}
public static ClientContext GetClientContextWithAccessToken(string targetUrl, string accessToken)
{
ClientContext clientContext = new ClientContext(targetUrl);
clientContext.ExecutingWebRequest +=
delegate (object oSender, WebRequestEventArgs webRequestEventArgs)
{
webRequestEventArgs.WebRequestExecutor.RequestHeaders["Authorization"] =
"Bearer " + accessToken;
};
return clientContext;
}
private static X509Certificate2 GetAppOnlyCertificate(string thumbPrint)
{
X509Certificate2 appOnlyCertificate = null;
using (X509Store certStore = new X509Store(StoreName.My, StoreLocation.CurrentUser))
{
certStore.Open(OpenFlags.ReadOnly);
X509Certificate2Collection certCollection = certStore.Certificates.Find(X509FindType.FindByThumbprint, thumbPrint, false);
if (certCollection.Count > 0)
{
appOnlyCertificate = certCollection[0];
}
certStore.Close();
return appOnlyCertificate;
}
}
}
}
view raw CSOM.Standard.MSAL.Auth.cs hosted with ❤ by GitHub

Note: Make sure that you are using the right way to access the certificate as per your scenario. Here, for demo purposes, I have installed the certificate to my local machine and I am accessing it from there. In production scenarios, it's recommended to store the certificate in Azure Key Vault. More details here

And when I run the code, I am able to get the title of my SharePoint site back:
 

Hope you found this post useful! I am very glad .NET CSOM Standard is finally available and we are able to use it .NET Core projects going forward. This is going to make things so much easier!
Posted by at 28 comments:
Labels: , , , , ,

Monday, 22 June 2020

Using the Microsoft Search API (preview) to query SharePoint content

The new Microsoft Search API (preview) has been available in the Graph beta endpoint for a while now. If you haven't had a chance to look at the API yet, the docs explain it quite nicely:

"The Microsoft Search API provides one unified search endpoint that you can use to query data in the Microsoft cloud - messages and events in Outlook mailboxes, and files on OneDrive and SharePoint - that Microsoft Search already indexes."

And it's also currently planned that Microsoft Teams search will also be transitioned to use Microsoft Search in the future: https://twitter.com/williambaer/status/1273644094904872960



Considering everything, it looks like Microsoft Search will play an important role in Microsoft 365 solutions going forward. Given this, I decided to check out the Graph API .NET SDK late last year to try and search SharePoint files. But quickly stumbled on a roadblock which did not allow the API to work with the SDK: https://github.com/microsoftgraph/msgraph-beta-sdk-dotnet/issues/43 

Fortunately, the issue was fixed recently and we are able to use the .NET Graph SDK for testing. 

The code:

Let's see how can we search SharePoint Online content using the new Microsoft Search API:

For this code to work, you will need the Microsoft.Graph.Beta nuget package:

We are going to use the KQL sytax with the Microsoft Graph Search API to query SharePoint Modern pages in a tenant. Once the query completes, we will display the page name and page url in the console:

using Microsoft.Graph;
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net.Http.Headers;
using System.Threading.Tasks;
namespace Graph.Workbench
{
class Program
{
public static async Task Main(string[] args)
{
var graphClient = GetGraphClient();
var requests = new List<SearchRequestObject>()
{
new SearchRequestObject
{
EntityTypes = new List<EntityType>()
{
EntityType.DriveItem
},
Query = new SearchQuery
{
Query_string = new SearchQueryString
{
//KQL syntax to get all SharePoint modern pages. Use regular KQL here: https://docs.microsoft.com/en-us/sharepoint/dev/general-development/keyword-query-language-kql-syntax-reference
Query = "ContentTypeId:0x0101009D1CB255DA76424F860D91F20E6C4118* contentclass:STS_ListItem_WebPageLibrary"
},
},
From = 0,
Size = 25
}
};
var result = await graphClient.Search.Query(requests).Request().PostAsync();
if (result.CurrentPage.Count > 0)
{
if (result.CurrentPage[0].HitsContainers.Count() > 0)
{
var hitContainer = result.CurrentPage[0].HitsContainers.First();
if (hitContainer.Hits != null)
{
foreach (var hit in hitContainer.Hits)
{
var spItem = hit._source as DriveItem;
Console.WriteLine($"{spItem.Name} : {spItem.WebUrl}");
}
}
}
}
}
private static GraphServiceClient GetGraphClient()
{
//Deletegated access token requied for calling the Microsoft Search API. You can use a variety of ways to get the access token. For demo, I have just copied it from the Graph explorer: https://developer.microsoft.com/en-us/graph/graph-explorer/
var accessToken = "eyJ0eXAiOiJKV1QiLCJXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX";
var graphClient = new GraphServiceClient(
new DelegateAuthenticationProvider(
requestMessage =>
{
requestMessage.Headers.Authorization = new AuthenticationHeaderValue("bearer", accessToken);
return Task.CompletedTask;
}));
return graphClient;
}
}
}
view raw MicrosoftSearch.Graph.SDK.cs hosted with ❤ by GitHub
Considerations:

Although it works great, there are a few considerations currently:

  • The API only works with delegated access for now i.e. with a user context. Application permissions are not supported.
  • When searching SharePoint Online content, we are not able to specify fields to return in the result. Only a default set of fields can be returned.
  • There is no custom sorting available as of now when it comes to SharePoint content. The content is sorted by default by relevance.

Hope you found this post useful and helps you get started with the Microsoft Search API. To read up more on the Microsoft Search API in Graph, have a look here:
Posted by at 2 comments:
Labels:
Subscribe to: Posts (Atom)